From 89af35175d97cf90e7336d3c817612fafc68dbdb Mon Sep 17 00:00:00 2001 From: TomSweeneyRedHat Date: Tue, 19 Jun 2018 10:03:34 -0400 Subject: Add cap-add and cap-drop to build man page Signed-off-by: TomSweeneyRedHat Closes: #968 Approved by: mheon --- docs/podman-build.1.md | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) (limited to 'docs') diff --git a/docs/podman-build.1.md b/docs/podman-build.1.md index b49f60329..862ba3490 100644 --- a/docs/podman-build.1.md +++ b/docs/podman-build.1.md @@ -47,6 +47,26 @@ resulting image's configuration. Images to utilize as potential cache sources. Podman does not currently support caching so this is a NOOP. +**--cap-add**=*CAP\_xxx* + +When executing RUN instructions, run the command specified in the instruction +with the specified capability added to its capability set. +Certain capabilities are granted by default; this option can be used to add +more. + +**--cap-drop**=*CAP\_xxx* + +When executing RUN instructions, run the command specified in the instruction +with the specified capability removed from its capability set. +The CAP\_AUDIT\_WRITE, CAP\_CHOWN, CAP\_DAC\_OVERRIDE, CAP\_FOWNER, +CAP\_FSETID, CAP\_KILL, CAP\_MKNOD, CAP\_NET\_BIND\_SERVICE, CAP\_SETFCAP, +CAP\_SETGID, CAP\_SETPCAP, CAP\_SETUID, and CAP\_SYS\_CHROOT capabilities are +granted by default; this option can be used to remove them. + +If a capability is specified to both the **--cap-add** and **--cap-drop** +options, it will be dropped, regardless of the order in which the options were +given. + **--cert-dir** *path* Use certificates at *path* (\*.crt, \*.cert, \*.key) to connect to the registry. 
@@ -360,9 +380,17 @@ Directly specifies a UID mapping which should be used to set ownership, at the filesytem level, on the working container's contents. Commands run when handling `RUN` instructions will default to being run in their own user namespaces, configured using the UID and GID maps. + Entries in this map take the form of one or more triples of a starting in-container UID, a corresponding starting host-level UID, and the number of consecutive IDs which the map entry represents. + +This option overrides the *remap-uids* setting in the *options* section of +/etc/containers/storage.conf. + +If this option is not specified, but a global --userns-uid-map setting is +supplied, settings from the global option will be used. + If none of --userns-uid-map-user, --userns-gid-map-group, or --userns-uid-map are specified, but --userns-gid-map is specified, the UID map will be set to use the same numeric values as the GID map. @@ -373,9 +401,17 @@ Directly specifies a GID mapping which should be used to set ownership, at the filesytem level, on the working container's contents. Commands run when handling `RUN` instructions will default to being run in their own user namespaces, configured using the UID and GID maps. + Entries in this map take the form of one or more triples of a starting in-container GID, a corresponding starting host-level GID, and the number of consecutive IDs which the map entry represents. + +This option overrides the *remap-gids* setting in the *options* section of +/etc/containers/storage.conf. + +If this option is not specified, but a global --userns-gid-map setting is +supplied, settings from the global option will be used. + If none of --userns-uid-map-user, --userns-gid-map-group, or --userns-gid-map are specified, but --userns-uid-map is specified, the GID map will be set to use the same numeric values as the UID map. -- cgit v1.2.3-54-g00ecf
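Review bot: In the --cap-drop paragraph of the first docs/podman-build.1.md hunk (@@ -47,6 +47,26 @@), the thirteen-entry default list (CAP_AUDIT_WRITE through CAP_SYS_CHROOT) is hand-copied into the man page, so it will silently drift whenever the runtime's default set changes; suggest naming where the default set is defined so a reader can check the authoritative list, or at least flagging that the list reflects the defaults at the time of writing. Since the hunk's context line mentions the "resulting image's configuration", it is also worth stating explicitly that --cap-add and --cap-drop apply only to the commands executed for RUN instructions during the build (an image configuration carries no capability set), and neither paragraph says whether the option may be repeated to add or drop several capabilities, which is the first question a reader of this page will have. Style: the new entries are written "**--cap-add**=*CAP\_xxx*" while the neighbouring entry is "**--cert-dir** *path*" (a space rather than "="); the page should use one form.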
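Review bot: In the --userns-uid-map hunk (@@ -360,9 +380,17 @@), the two added paragraphs introduce three sources for the map (this option, a "global --userns-uid-map setting", and remap-uids in the options section of /etc/containers/storage.conf) but only state two of the three relationships: the option overrides storage.conf, and the global option is used when this option is absent; they do not say whether the global option also overrides storage.conf, which is exactly the case an administrator who set remap-uids will hit. Suggest one sentence giving the full order, for example "The map is taken from this option if given, otherwise from the global --userns-uid-map option, otherwise from the remap-uids setting in /etc/containers/storage.conf" (adjusted to whatever the code actually does). Also say which command the "global" option belongs to, since --userns-uid-map is also the name of this build option, and format it as **--userns-uid-map** like the other option names on the page. Drive-by: the unchanged context line spells "filesytem"; worth fixing while this paragraph is being touched.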
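Review bot: The --userns-gid-map hunk (@@ -373,9 +401,17 @@) mirrors the UID hunk word for word and has the same gap: it states that the option overrides remap-gids in /etc/containers/storage.conf and that a global --userns-gid-map is used when the option is absent, but not where the global option stands relative to storage.conf. Whatever precedence wording is settled on for the UID paragraph should be copied here so the two entries stay parallel, and the "filesytem" typo in this hunk's context line is the same one as in the UID hunk.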